Data privacy during COVID-19: Trust is hard earned – but easily lost

---

The coronavirus pandemic has prompted millions of people to work from home, do their shopping online, and communicate with friends and family through websites and apps that they hadn’t used before – or perhaps hadn’t even heard of before.

New technologies have allowed us to continue our daily lives. But as we embrace this new approach to communications, many of us have quickly placed our trust in companies, and in how they treat our personal data, when before we may have been more circumspect. Helping people continue living as normally as possible during these tough times should not be done at the expense of protecting individuals’ right to privacy and responsible data handling practices.

It is well known that the monetisation of personal data has been one of the major drivers behind the rapid growth of the technology industry, especially for the likes of Google and Facebook.

Right now, people are hunting for new ways to enhance their online lives, but while that offers potential, and value, in the collection and use of personal data, there remains the significant issue of customer trust.

It has been estimated that the personal data market could generate $500bn by 2024¹ . Provided individual privacy rights are protected, in our view, this represents a major opportunity for investors.

At the same time, companies exposed to the processing of personal data are at greater risk. This is due to stricter laws around data privacy, such as the European Union’s General Data Protection Regulation (GDPR) which came into force in May 2018.

In the first year of GDPR implementation more than 140,000 queries and complaints were made to data protection authorities² , highlighting the vast extent to which citizens care about how their personal data is being used.

As it stands, when it comes to data privacy, it is not easy to differentiate between firms with good and bad practices. In fact, there is surprisingly little comparable information available on this issue which is so financially and reputationally material to companies, investors and customers.

This is in part due to the inconsistent quantity and quality of transparency around data privacy issues. According to the most recent report on the matter by MSCI, 75% of companies in the MSCI All Country World Index do not actually provide evidence of personal data usage minimisation – i.e. firms essentially limit personal data records to just relevant information.³

Transparency and trust – the difference between opportunity and risk

Data processing enables new pathways to value creation and large-scale customisation, which are at the heart of gaining and retaining customers – particularly at a time such as this. The collection of personal data creates a deep knowledge of users’ preferences, which is key in creating and delivering sustainable client value.

We believe the key factor in making the data opportunity sustainable is, ultimately, customer trust. If companies obtain and maintain users’ consent in processing their data and provide value to them in exchange for their personally identifiable information, data will remain on the opportunity side. This is why we urge companies exposed to the collection of personal data to adopt responsible practices.

The data opportunity rests on transparency towards individuals. It only works when customers give their consent on personal data processing and have the knowledge of the type of data that is collected and how it is used. Simply providing them with the terms and conditions is insufficient. That is why the boundary between the upsides and downsides, related to data privacy, is narrow.

The edge of this boundary lies in customers’ knowledge and active consent around these issues. When customers are not aware of this, companies are highly exposed to data privacy risks. As the coronavirus lockdown continues in multiple regions, and as consumers commit rapidly to more new online services, the effective management of that boundary will be vital.

Figure 1⁴ shows what marks the difference between data opportunity and data risk. The area highlighted in yellow corresponds to the type of data and usage for which the opportunity can turn into risk. This is where breaches in customer trust can happen. Data privacy risks are higher when:

• Personal data that is collected is the most sensitive, and the more it is processed by companies – i.e. profiling data
• The use of personally identifiable information only benefits the company at the expense of customers who do not get value in exchange of their personal data – i.e. selling to third parties

The role of third parties is central in defining the boundary between data opportunity and privacy risks. Companies need to assess to what extent their data processing practices are risky in terms of data privacy. And investors should pay attention to whether data privacy policies apply to business partners and third parties.

Figure 1: The limit between data privacy opportunities and risks⁵

Image

Best practice in data handling: An investor’s guide

How can investors identify good business practice around data management? Our research highlighted some positive traits, which can be useful when assessing the investment case for a company.

We believe that companies should be transparent in their disclosure on rules and policies around the processing of personal data and the way that customers’ personal data is used. This point is closely linked to the opportunity related to customer trust and retention.

The personal data that is collected should be only a reasonable and relevant amount. It should be useful to the company’s business model – rather than handling huge amounts of data which have no immediate use, reasoning that it might be valuable someday.

Companies exposed to data privacy issues should guarantee the highest level of privacy protection by default. We believe this means firms should:

• Implement proactive data privacy measures and policies
• Automatically protect users’ privacy
• Integrate data privacy at the roots of systems and practices
• Ensure transparency and visibility around personal data collection and usage
• Prioritise individuals’ interest regarding their personal data

Furthermore, we believe that the investment industry can – and should – leverage its influence on investee companies around data privacy issues.

We would like to see improved transparency and disclosure around data privacy practices, including reporting on compliance with GDPR and data privacy performance. This is particularly relevant for big technology companies, but also valid for any and every company which is exposed to the collection, handling and processing of personal data.

Companies themselves need to ensure they have a sound organisational structure and enough resourcing to understand the data privacy risks which they face – with oversight by the board and senior executives.

Businesses that operate in different markets should also, in our view, adopt a single global approach on data privacy where possible. If not, they should be able to explain why they have had to adopt varying jurisdiction-by-jurisdiction standards of data privacy

In this difficult moment for the world, it is clear that there is an opportunity for digital technology companies to build on the rapid take-up of online consumer services. These businesses are helping us to weather an incredible storm, and if they can make sure these key privacy issues are addressed – by adopting responsible data privacy practices -, then we believe that investors may find solid opportunities in the sector as data becomes an ever more valuable commodity.